AMENDMENTS TO THE DRAWINGS:

The attached Replacement Sheets include changes to Figures 1, 2, 3 and 4. These
sheets replace the original sheets containing Figures 1, 2, 3 and 4. No new matter has been
added.
REMARKS



This Preliminary Amendment cancels, without prejudice, claims 1-12 in the 
underlying PCT Application No. PCT/DE2004/001326 and adds new claims 13-24. The new 
claims, inter alia, conform the claims to United States Patent and Trademark Office rules and 
do not add any new matter to the application. 

In accordance with 37 C.F.R. § 1.125(b), the Substitute Specification (including the 
Abstract) contains no new matter. The amendments reflected in the Substitute Specification 
(including Abstract) are to conform the Specification and Abstract to United States Patent 
and Trademark Office rules or to correct informalities. As required by 37 C.F.R. §§ 
1.121(b)(3)(ii) and 1.125(c), a Marked-Up Version of the Substitute Specification comparing 
the Specification of record and the Substitute Specification also accompanies this Preliminary 
Amendment. Approval and entry of the Substitute Specification (including Abstract) are 
respectfully requested.

It is respectfully submitted that the subject matter of the present application is new,
non-obvious, and useful. Prompt consideration and allowance of the application are
respectfully requested.



Respectfully Submitted,
METHOD FOR EXECUTING A SOFTWARE UPDATE OF AN ELECTRONIC CONTROL
UNIT USING FLASH PROGRAMMING VIA A SERIAL INTERFACE AND A 
CORRESPONDING FINITE-STATE MACHINE 



FIELD OF THE INVENTION 

The present invention relates to a method for executing a software
update of an electronic control unit using flash programming via
a serial interface.

BACKGROUND INFORMATION

Flash memory is increasingly used as memory technology for
program stock and data stock in electronic control units. This
memory technology makes a software update of the control units
possible by reprogramming the respective flash memory of the
control units via serial interfaces. The serial interface may be,
for example, a central off-board diagnostic interface of a vehicle
via which the flash memory of an electronic control unit of the
vehicle is reprogrammed using what is known as a flash programming
tool. A software update is thus possible without removing the
respective electronic control unit from the vehicle, which results
in considerable cost savings compared to a control unit exchange
or removal. In the described type of flash programming, high
security and reliability demands must be met, in particular with
regard to vehicle service as well as in the area of safety-relevant
electronic control units.



Only entire flash segments of a flash memory may be deleted or
reprogrammed in currently used flash technologies. A smallest,
physically associated, completely deletable or programmable
memory unit of the flash memory is referred to as a segment.
Therefore, the deleting and programming steps for flash segments
should be differentiated in flash programming. Moreover, it
should be taken into consideration that it is not possible to
simultaneously export one program from a flash segment while
another flash segment of the same flash module is reprogrammed.
Therefore, the program sections for controlling the programming
process for a flash module must be, at least temporarily during
the execution of flash programming, swapped out into another memory
module of the control unit, e.g., into another flash module or a
free RAM (random access memory) section.

The limited transmission capacity of the off-board diagnostic
interface results in quite long flash programming times in large
flash memories of electronic control units. Therefore, shortening
the flash programming times is a frequent demand in production and
service.

Furthermore, for liability reasons attention should be paid
in flash programming that unauthorized flash programming or flash
programming using manipulated program or data stock is to be
prevented to the greatest possible extent. Finally, it should be
pointed out that flash programming via the mentioned off-board
diagnostic interface may take up a relatively long period
of time. Aborts of the programming procedure due to possibly
occurring interferences may be anticipated at any time. Such
interferences are, for example, failure of the voltage supply of
a vehicle or of the flash programming tool, incorrect response of
other network control units, interruption of the communication
link between the electronic control unit to be programmed and the
flash programming tool used for this purpose, or an operating error.
A failed authentication and signature check may also result in the
abort of the flash programming procedure. It may be
necessary to be able to ensure the availability or an immediate
restart of the flash programming procedure at any time.

SUMMARY

In one example embodiment, a method for
executing a software update of a control unit by flash programming
a flash memory of the control unit having multiple segments via
a serial interface is provided. The demands to be made on the
flash programming procedure are established in a first step
of the method, in such a way that a flash programming procedure
is specified by a finite-state machine which defines the states
and transitions of the software of the control unit and that finally
availability, security, and reliability requirements of each state
and each transition of the finite-state machine are checked.

Different operating states are preferably initially specified for
the software of the control unit when the demands to be made on
the flash programming procedure are established. A differentiation
is preferably made between a "starting state," a "normal state,"
and a "software update state" in this context. Furthermore, the
transitions between the above-mentioned operating states and the
transition conditions are defined. In a further example
embodiment of the method, memory arrays of the software of the
control unit, which are relevant for the flash programming
procedure, are divided into programmable and non-programmable
memory arrays and components of the software to be reprogrammed
are correspondingly assigned to the memory arrays. Furthermore,
the memory arrays of the software may be assigned
to a memory of the control unit, in particular one programmable
memory array to a segment of the flash memory and one
non-programmable memory array to a ROM (read only memory) of the
electronic control unit. The limited transmission capacity of the
off-board diagnostic interface results in quite long flash
programming times in large flash memories. It may therefore be
desirable to shorten the flash programming times, which is possible,
for example, by reducing the flash segments to be reprogrammed.
This is preferably achieved by flash programming individual
software functions or by a separate flash programming procedure
for the program stock and data stock of the electronic control unit.
The program stock is frequently already programmed during control
unit production, while the data stock is programmed later, e.g.,
at the end of production of a vehicle in a vehicle-specific manner.
As a result, the boot block, the program stock, and the data stock
are each stored in segments of the flash memory of the control unit
in a further example embodiment of the method according
to the present invention. This means that different software
functions as well as the program stock and data stock are stored
in different flash segments. All program sections of the control
unit, which are needed for communication between the control unit
and a flash programming tool via the off-board diagnostic interface
during a flash programming procedure, must be stored, together with
corresponding flash programming routines, in a flash loader in the
ROM of the electronic control unit or in a different additional
flash segment. The program sections, which are needed for the
communication between the control unit and the flash programming
tool, are divided into programmable and non-programmable sections,
i.e., a base extent stored in the ROM and referred to in the
following as the start-up block, and a base extent stored in the
flash memory and referred to in the following as the boot block.
The start-up block and boot block together provide the software
functionality of a microcontroller of the control unit necessary
for flash programming via an off-board diagnostic interface. A
division into start-up block and boot block may be expedient for
a number of reasons. The boot block itself may be reprogrammed if
it is stored, as described, in the flash memory. Furthermore, the
current status of a flash programming procedure may be stored in
a non-erasable manner in the boot block so that, for example, a
restart is possible after an abort of the flash programming
procedure. The unchangeable base functionality of the start-up
block and an identifier for a hardware variant of the electronic
control unit may be stored in the more cost-effective and
non-reprogrammable ROM of the control unit. According to the
present invention, the program stock and the data stock are each
stored in a different segment of the flash memory.

Security, reliability, and availability requirements of the flash
programming procedure to be executed may be
provided by a further preferred embodiment of the method according
to the present invention. A transition of a microcontroller of the
control unit to the "software update" operating state is initiated
by a flash programming tool. In addition to possibly necessary
plausibility checks, such as the check for engine shutdown in
engine controllers, which must be carried out prior to completion
of a driving program and a transition to the "software update"
operating state, additional security measures are necessary when
used in production and service. According to this, it is necessary
for liability reasons, for example, that unauthorized flash
programming or flash programming using manipulated program or data
stock is to be prevented to the greatest possible extent. Such flash
programming procedures should at least be detected and verified.

Flash programming access is generally protected
by two different encryption methods. One method is
authentication which corresponds to a check of the actual access
permission and is carried out subsequent to a plausibility check.
A digital key is used to check whether a user of the flash
programming tool is actually permitted to execute a software update.
A second encryption method is what is known as a signature check.
The data consistency of program stock or data stock to be
reprogrammed is checked here.

During the signature check, a flash programming tool uses a further
digital key to check whether the program stock or the data stock
to be reprogrammed matches the control unit hardware and whether
the program stock or data stock to be reprogrammed has been
improperly manipulated after delivery by the vehicle manufacturer
to the service organization, for example. Only after successful
completion of the mentioned check should the actual deletion and
programming of the respective segments of the flash memory be
enabled or unblocked. Unblocking takes place here using the
above-mentioned boot block. During specification of the security
and reliability requirements for flash programming, it should be
ensured that the signature of a microcontroller of the control unit
is calculated subsequent to flash programming, on the basis of the
program stock and data stock actually programmed into the flash
memory in order to detect errors during programming. After a
successful signature check, this calculated signature is stored
in the flash memory. In addition, special memory structures, i.e.,
program stock and data stock logistics, are stored in the flash
memory as part of the program stock and data stock. Only after a
successful signature check does the boot block unblock the activation
of the new program, a drive program, for example.

Moreover, the availability requirement of the flash programming
procedure is preferably specified in the method according to the
present invention. Since flash programming via the off-board
diagnostic interface may take up a relatively long period of time
despite the above-described optimization measures, aborts of the
programming procedure due to interferences may generally be
anticipated at any time. Such interferences are, for example,
failure of a voltage supply of a vehicle or of a flash programming
tool, incorrect responses of other network control units,
interruptions of the communication link between the electronic
control unit and the flash programming tool used, or operating
errors. Generally, failed authentication and failed
signature checks also result in an abort of the flash programming
procedure. Therefore, it may be important for a design of the
flash programming procedure to ensure the availability of the flash
programming procedure under all possible circumstances.
This means, for example, that after an abort, a restart of the
programming procedure should be ensured anytime in all
situations. In a further example embodiment of the method
according to the present invention, substates, adoptable in the
"software update" operating state, transitions between them, and
transition conditions are specified by the finite-state machine
during execution of the flash programming procedure. The substates
may be the "abort/error message" substate or the
"completion/success message" substate. Furthermore, substates for
authentication and signature check as well as substates for the
deletion and programming of segments of the flash memory may
preferably be specified. Moreover, it may be desirable to specify
substates for the swapping-out and flash programming of the boot
block. Transitions between the mentioned substates and
corresponding transition conditions are also specified according
to the present invention.

Furthermore, the present invention includes a computer program
made up of program code elements via which predefined availability,
security, and reliability requirements of each state and each
transition of an above-described finite-state machine are checked
automatically when the program code elements are run on a computer
or on a computer system.

Finally, the present invention relates to a method for flash
programming an above-described boot block. A method is provided
for flash programming a boot block which provides the software
functionality necessary for executing the flash programming. The
boot block is stored in a first segment of a flash memory. In a
first step, the old boot block to be reprogrammed is copied into
a free RAM section. The still active old boot block is
swapped out into another memory module of the control unit during
flash programming, which means that the boot block should be
relocatable. In a second step, the old boot block is subsequently
activated in the RAM and deactivated in the flash memory where it
is stored in a first segment. Furthermore, the new boot block is
temporarily stored in a second segment of the flash memory. This
step includes deletion of the second segment of the flash memory,
programming of the new boot block into the second segment of the
flash memory, and a signature check for the new boot block in the
second segment of the flash memory. After an abort during these
method steps, the flash programming procedure may be restarted
using the valid, old boot block in the first segment of the flash
memory. In a further step of the method according to the present
invention, the new boot block is finally programmed by copying the
second segment of the flash memory into the first segment of the
flash memory. This step includes deletion of the first flash
segment, programming of the new boot block into the first flash
segment by copying the second flash segment into the first flash
segment, and a signature check for the new boot block in the first
flash segment. After an abort during these method steps, the flash
programming procedure may be restarted using the valid, new boot
block in the second flash segment. One boot block, which is valid
for restarting the flash programming procedure, is always
preferably marked in the flash memory. This validity marker itself
must be stored in a non-erasable manner in the flash memory so that
a restart is possible using this information. In a last step of
the example method according to the present invention, the new boot
block is subsequently activated in the first segment of the flash
memory and the old boot block is simultaneously deactivated in the
RAM.

BRIEF DESCRIPTION OF THE DRAWINGS

Further advantages and preferred embodiments of the present
invention are explained in greater detail on the basis of the
following figures.

Figure 1 shows a schematic representation of a specification of
memory arrays of a control unit relevant for flash programming
according to an example embodiment of a method according to the
present invention.

Figure 2 shows a schematic representation of a specification of
security requirements and measures according to a further
embodiment of a method according to the present invention.

Figure 3 shows a schematic representation of states and
transitions of a boot block during flash programming of the program
stock and data stock of an electronic control unit.

Figure 4 shows a schematic representation of the sequence of an
example embodiment of a method according to the present invention
for executing flash programming of a boot block.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS 

Figure 1 shows an allocation of memory arrays of a software of a
control unit for executing a software update of a control unit by
flash programming. A control unit 1 having a microcontroller 2 is
shown. Microcontroller 2 has a microprocessor 3 and three different
memories, namely a ROM (read only memory) 4, a flash memory 5, and
a RAM (random access memory) 6. In addition, control unit 1 has
a serial interface 7 for coupling to an off-board diagnostic
interface 8 via which a flash programming tool may be connected.
A memory allocation of memory arrays of the software of control
unit 1, relevant for the flash programming procedure, is shown in
the lower part of Figure 1. The memory arrays are divided into
programmable and non-programmable memory arrays and software
components to be reprogrammed are correspondingly assigned to the
memory arrays. Program sections of microcontroller 2, which are
used for communication between microcontroller 2 and a
flash programming tool via off-board diagnostic interface 8 during
flash programming, are divided into start-up block 9 and boot block
10. Start-up block 9 and boot block 10 together provide the software
functionality of microcontroller 2 used for flash
programming via off-board diagnostic interface 8. The division
into start-up block 9 and boot block 10 is expedient for a number
of reasons. Boot block 10 itself, which is stored in a segment A
of flash memory 11 in the present case, may be reprogrammed.
Moreover, the current status of the flash programming procedure
may be stored in a non-erasable manner in boot block 10, making
a restart possible after an abort, for example. In contrast, the
unchangeable base functionality of start-up block 9 may be stored
in more cost-effective and non-reprogrammable ROM 12. The program
stock is stored in a further segment of the flash memory, i.e.,
a flash segment B, and the data stock is stored in a flash segment
C.

Figure 2 shows a specification of security requirements during
execution of a flash programming procedure. A possible
communication sequence between a flash programming tool 13 and a
microcontroller 2 of a control unit is shown. After plausibility
check 14, which is carried out via an inquiry on the part of flash
programming tool 13 and feedback by microcontroller 2 and
should be executed prior to a transition to the "software
update" operating state, a check is carried out with regard to the
actual access authorization. This step is referred to as
authentication 15. A digital key is used to check whether a user
of flash programming tool 13 is authorized to conduct a software
update. The data consistency of the program or data stock to be
reprogrammed is checked in a further test step 16. This step is
also referred to as the signature check. Based on a further digital
key, flash programming tool 13 checks whether the program or data
stock to be reprogrammed matches the control unit hardware and
whether the program or data stock to be reprogrammed has been
improperly manipulated since its delivery. The flash segments are
deleted in a step 17 and the corresponding flash segments are
subsequently programmed in a step 18 only after successful
completion of the check. After flash programming, the signature
is calculated by microcontroller 2 based on the program stock and
data stock actually programmed in the flash memory in order to be
able to detect errors which occurred during programming. This
calculated signature is stored in the flash memory after
successful signature check 19. For this purpose, special memory
structures, known as program stock and data stock logistics, are
stored in the flash memory as part of the program stock and data
stock. The boot block only unblocks activation of the new program,
such as a drive program, after a successful signature check 19.

Figure 3 shows in a schematic representation the states and
transitions of a boot block during flash programming of the program
stock and data stock. First, during coupling of a flash programming
tool to the microcontroller via an off-board diagnostic interface,
the control unit is identified in a step 20 and a transition of
the microcontroller into the "software update" operating state is
initiated. If an error is detected in a step 21, the programming
procedure is immediately aborted with simultaneous output of an
error message F. The user of the coupled flash programming tool
is authenticated in a further step 22. Here also, the programming
procedure is aborted accompanied by an error message F if an error
is detected in a step 23. This is followed by a signature check
24 which is accompanied by a check of the data consistency via
hardware/program stock/data stock logistics. Here also, a detected
error 25 is signaled by an abort and accompanying error message
F. After execution of these steps, deletion 26 of the flash segment,
in which the program stock is stored, takes place; the new program
stock is subsequently programmed in a step 27 and a signature check
28 for the new program stock is carried out. The same steps are
carried out in steps 29, 30, 31 with regard to flash programming
of the data stock. If an error is detected during the signature
check for the program stock and the data stock, an abort takes place
here also accompanied by an error message F. However, if no errors
are detected, the microcontroller is transitioned to the "starting
state" operating state via a reset in a step 32.
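
The security checks of Figure 2 and the state sequence of Figure 3 (with the "software update" substates named in the summary), as an added C simulation that is not part of the application: the tool side and the microcontroller side are collapsed into one model, the keys KEY_AUTH and KEY_SIG, the FNV-style signature() stand-in, the hardware id and the segment size are all constructed assumptions, and every failed check lands in the abort state that corresponds to error message F.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEG_SIZE 16                 /* one flash segment, shrunk for the simulation */
#define KEY_AUTH 0x41555448u        /* constructed access key checked during authentication */
#define KEY_SIG  0x53494721u        /* constructed "further digital key" used by the signature check */

/* Operating states plus the substates passed through in the "software update" state (Figure 3). */
typedef enum {
    FSM_STARTING, FSM_NORMAL, FSM_IDENTIFY, FSM_AUTHENTICATE, FSM_SIGNATURE_CHECK,
    FSM_PROGRAM_STOCK, FSM_DATA_STOCK, FSM_SUCCESS, FSM_ABORT
} fsm_state_t;

typedef struct { uint8_t b[SEG_SIZE]; } segment_t;

/* Image delivered by the manufacturer: hardware id, payload and a signature over both. */
typedef struct { uint16_t hw_id; uint8_t data[SEG_SIZE]; uint32_t sig; } image_t;

/* Constructed microcontroller model: hardware variant id, flash segments B (program stock) and
 * C (data stock), the signatures stored after programming, and the current state. */
typedef struct {
    uint16_t hw_id;
    segment_t seg_b, seg_c;
    uint32_t stored_sig_b, stored_sig_c;
    bool engine_running;
    fsm_state_t state;
} mcu_t;

/* Stand-in for the signature: keyed FNV-1a fold over hardware id and payload. It only models the
 * binding of an image to one hardware variant and its contents; it is not a real signature scheme. */
static uint32_t signature(uint32_t key, uint16_t hw_id, const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u ^ key;
    h = (h ^ (uint8_t)hw_id) * 16777619u;
    h = (h ^ (uint8_t)(hw_id >> 8)) * 16777619u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Any failed check: "abort/error message" substate, error message F. */
static fsm_state_t abort_update(mcu_t *m) { m->state = FSM_ABORT; return FSM_ABORT; }

/* Signature check (steps 16/24): image matches this hardware and was not altered since delivery. */
static bool signature_ok(const mcu_t *m, const image_t *img) {
    return img->hw_id == m->hw_id && signature(KEY_SIG, img->hw_id, img->data, SEG_SIZE) == img->sig;
}

/* Delete the whole segment (17), program it (18), then recompute the signature over the bytes
 * actually written (19): a programming error is caught before the signature is stored. */
static bool program_segment(mcu_t *m, segment_t *seg, uint32_t *stored_sig, const image_t *img) {
    memset(seg->b, 0xff, SEG_SIZE);
    memcpy(seg->b, img->data, SEG_SIZE);
    uint32_t calc = signature(KEY_SIG, m->hw_id, seg->b, SEG_SIZE);
    if (calc != img->sig) return false;
    *stored_sig = calc;
    return true;
}

/* The Figure 3 sequence: identify, authenticate, signature check, program stock, data stock, reset. */
fsm_state_t run_update(mcu_t *m, uint32_t presented_key, const image_t *prog, const image_t *data) {
    m->state = FSM_IDENTIFY;                                             /* step 20 */
    if (m->engine_running) return abort_update(m);                       /* plausibility check 14 */
    m->state = FSM_AUTHENTICATE;                                         /* step 22 */
    if (presented_key != KEY_AUTH) return abort_update(m);               /* error 23 */
    m->state = FSM_SIGNATURE_CHECK;                                      /* step 24 */
    if (!signature_ok(m, prog) || !signature_ok(m, data)) return abort_update(m);  /* error 25 */
    m->state = FSM_PROGRAM_STOCK;                                        /* steps 26, 27, 28 */
    if (!program_segment(m, &m->seg_b, &m->stored_sig_b, prog)) return abort_update(m);
    m->state = FSM_DATA_STOCK;                                           /* steps 29, 30, 31 */
    if (!program_segment(m, &m->seg_c, &m->stored_sig_c, data)) return abort_update(m);
    m->state = FSM_SUCCESS;                                              /* completion/success message */
    m->state = FSM_STARTING;                                             /* reset, step 32 */
    return m->state;
}

/* Constructed fixtures: a correctly signed image and a microcontroller in the normal state. */
image_t make_image(uint16_t hw_id, uint8_t first_byte) {
    image_t img; img.hw_id = hw_id;
    for (int i = 0; i < SEG_SIZE; i++) img.data[i] = (uint8_t)(first_byte + i);
    img.sig = signature(KEY_SIG, hw_id, img.data, SEG_SIZE);
    return img;
}
mcu_t make_mcu(uint16_t hw_id) { mcu_t m; memset(&m, 0, sizeof m); m.hw_id = hw_id; m.state = FSM_NORMAL; return m; }
```

A wrong key, an image signed for another hardware id, a payload altered after signing, or a running engine each return FSM_ABORT before any segment is deleted; only the complete sequence ends in FSM_STARTING with both signatures stored.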

Figure 4 shows method steps during flash programming
of a boot block. During flash programming, active boot block "A"
is initially swapped out into a different memory module of
the microcontroller, i.e., boot block "A" is relocatable.
This may take place, for example, by copying boot block "A" into
a RAM section which is free during the flash programming procedure.
Boot block "A" is subsequently exported from the RAM. Restart of
the programming procedure should be possible, even after
failed flash programming of the boot block. An error-free boot
block is sufficient for maintaining availability after an abort.
The old boot block "A" is copied into a free RAM section in a first
step of the method. The old boot block is activated in the RAM in
a second step which is indicated by the "A" marking and deactivated
in the flash memory. The new boot block is temporarily stored in
a flash segment C. Flash segment C is initially deleted, the new
boot block is programmed into flash segment C, and a signature check
for the new boot block in flash segment C is carried out. After
an abort during these method steps, the flash programming procedure
may be restarted using the valid, old boot block in flash segment
A. The new boot block is programmed in a third step, which is carried
out by copying flash segment C into flash segment A. This step
includes deletion of flash segment A, programming of the new boot
block into flash segment A by copying flash segment C into flash
segment A, and a signature check for the new boot block in flash
segment A. After an abort during these method steps, the flash
programming procedure may be restarted using the valid, new boot
block in flash segment C. The currently valid boot block in the
flash memory should be marked. This validity marker should
be stored in a non-erasable manner in the flash memory so that a
restart is possible using this information.
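
The Figure 4 boot block procedure (the same steps the summary describes for the first and second flash segment), as an added C simulation that is not part of the application: segments A and C, the free RAM section, the validity marker and the bb_signature() stand-in are constructed assumptions, and the abort_at parameter injects an interference before a chosen step so that the restart from the marked valid boot block can be exercised for every abort point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BB_SIZE 8                          /* boot block payload, shrunk for the simulation */

typedef struct { uint8_t b[BB_SIZE]; uint32_t sig; } boot_block_t;

/* Validity marker: which flash segment currently holds a boot block usable for a restart. */
typedef enum { VALID_A = 0xA5, VALID_C = 0xC3 } valid_marker_t;

/* The steps of Figure 4 in execution order; STEP_DONE means the procedure completed. */
typedef enum {
    STEP_COPY_TO_RAM = 1, STEP_ERASE_C, STEP_PROGRAM_C, STEP_CHECK_C,
    STEP_ERASE_A, STEP_PROGRAM_A, STEP_CHECK_A, STEP_ACTIVATE_A, STEP_DONE
} step_t;

/* Constructed microcontroller model: flash segments A and C, the free RAM section holding the
 * swapped-out boot block, where the active block executes, and the non-erasable validity marker. */
typedef struct {
    boot_block_t seg_a, seg_c, ram;
    bool active_in_ram;
    valid_marker_t marker;
} mcu_t;

/* Stand-in for the boot block signature (rotate/xor fold); models the check, not a real scheme. */
static uint32_t bb_signature(const uint8_t *p) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < BB_SIZE; i++) h = ((h << 5) | (h >> 27)) ^ p[i];
    return h;
}
static bool bb_valid(const boot_block_t *bb) { return bb_signature(bb->b) == bb->sig; }
static void erase_segment(boot_block_t *seg) { memset(seg->b, 0xff, BB_SIZE); seg->sig = 0xffffffffu; }

/* Run the procedure from step `from`. `abort_at` simulates an interference (supply failure, link
 * loss) hitting just before that step and returns it; a failed signature check also returns its step. */
step_t flash_boot_block(mcu_t *m, const boot_block_t *new_bb, step_t from, step_t abort_at) {
    for (int s = from; s < STEP_DONE; s++) {
        if (s == abort_at) return (step_t)s;
        switch ((step_t)s) {
        case STEP_COPY_TO_RAM: m->ram = m->seg_a; m->active_in_ram = true; break;  /* steps 1 and 2 */
        case STEP_ERASE_C:     erase_segment(&m->seg_c); break;
        case STEP_PROGRAM_C:   m->seg_c = *new_bb; break;
        case STEP_CHECK_C:     if (!bb_valid(&m->seg_c)) return STEP_CHECK_C;
                               m->marker = VALID_C; break;  /* C now holds the block valid for a restart */
        case STEP_ERASE_A:     erase_segment(&m->seg_a); break;
        case STEP_PROGRAM_A:   m->seg_a = m->seg_c; break;  /* copy segment C into segment A */
        case STEP_CHECK_A:     if (!bb_valid(&m->seg_a)) return STEP_CHECK_A;
                               m->marker = VALID_A; break;
        case STEP_ACTIVATE_A:  m->active_in_ram = false; break;  /* old block in RAM deactivated */
        default:               break;
        }
    }
    return STEP_DONE;
}

/* After an abort the RAM copy is gone; the marker names the segment a restart may start from. */
bool has_valid_boot_block(const mcu_t *m) {
    return (m->marker == VALID_A && bb_valid(&m->seg_a)) || (m->marker == VALID_C && bb_valid(&m->seg_c));
}
step_t restart_after_abort(mcu_t *m, const boot_block_t *new_bb) {
    m->active_in_ram = false;
    if (m->marker == VALID_C) return flash_boot_block(m, new_bb, STEP_ERASE_A, STEP_DONE);
    return flash_boot_block(m, new_bb, STEP_COPY_TO_RAM, STEP_DONE);
}

/* Constructed fixtures: a correctly signed boot block and a microcontroller running it from A. */
boot_block_t make_boot_block(uint8_t first_byte) {
    boot_block_t bb;
    for (int i = 0; i < BB_SIZE; i++) bb.b[i] = (uint8_t)(first_byte + i);
    bb.sig = bb_signature(bb.b);
    return bb;
}
mcu_t make_mcu(const boot_block_t *current) {
    mcu_t m; memset(&m, 0, sizeof m);
    m.seg_a = *current; erase_segment(&m.seg_c); m.marker = VALID_A;
    return m;
}
```

Aborting before any step and then calling restart_after_abort always ends with the new boot block valid in segment A, because the marker only moves to C after the signature check in C and back to A after the signature check in A.
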
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TVbotract A BSTRACT 



DcocribGd io aA method for executing a software update of a control 
unit by flash programming a flash memory of the control unit having 
5 multiple segments via a serial interface, demands on the flash 
programming procedure being established, a sequence of the flash 
programming procedure being specified by a finite-state machine 
which defines states and transitions of the software, and 
availability, security, and reliability requirements of each state 
10 and each transition of the finite-state machine being checked. In 
addition, described are a corresponding finite-state machine and 
a computer program for automatically checking the availability, 
security, and reliability requirements. 

15 (Figure 1) 
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